
Please help me on Winfixer malware

guitarguy99

Posted 19 November 2005 - 02:55 PM


I just got the dreaded Winfixer popups 2 days ago and they are creating a mess on my PC. I am also receiving popups from WinAntiVirusPro which I'm guessing is related. I am also receiving new popups to pornography sites (not very nice!). These all started happening at the same time. I've never had a problem like this. I run anti-virus and anti-spyware programs. I read over your site rules and have followed the instructions for HiJackThis. Here's my log report:

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible


This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

I hope you can help me--I would really appreciate it. And I could let my daughter back on the computer so she can finish her homework (as I'm worried right now with the dangerous and improper popups). THANK YOU!!

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\pmkjk.dll

Press Enter to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\kjkmp.*

This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*

Press Enter to continue with the fix.

The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.

In HiJackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\pmkjk.dll

O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll

After you have fixed these items, close Hijackthis.

Press enter to exit the program then manually reboot your computer.

Once your machine reboots please continue with the instructions below.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
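The file pairing used in the VundoFix steps above, as an added example that is not part of the original post or of VundoFix: it picks out a DLL that a HijackThis log lists as both an O2 BHO and an O20 Winlogon Notify entry, then builds the reversed-name second path and checks a directory listing for it. The function names, the third log line and the directory listing are constructed for illustration.

```python
import fnmatch
import ntpath
import re

# The two HijackThis entry types fixed in this thread; the path is the last field.
ENTRY_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O20 - Winlogon Notify): .* - (?P<path>[A-Za-z]:\\.+)$")

# First two lines are from the thread; the third is a constructed benign entry.
SAMPLE_LOG = [
    r"O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\pmkjk.dll",
    r"O20 - Winlogon Notify: pmkjk - C:\WINDOWS\system32\pmkjk.dll",
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll",
]
# Constructed directory listing (hypothetical file names and extensions).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\pmkjk.dll",
    r"C:\WINDOWS\system32\kjkmp.ini",
    r"C:\WINDOWS\system32\kjkmp.bak",
    r"C:\WINDOWS\system32\kernel32.dll",
]

def dual_registered_dlls(log_lines):
    """Paths listed as both an O2 BHO and an O20 Winlogon Notify entry."""
    seen = {}
    for line in log_lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            path = m.group("path")
            seen.setdefault(path.lower(), (path, set()))[1].add(m.group("kind"))
    return [path for path, kinds in seen.values() if len(kinds) == 2]

def reversed_companion_pattern(dll_path):
    """Second VundoFix path: the DLL's base name spelt backwards, any extension."""
    folder, name = ntpath.split(dll_path)
    return ntpath.join(folder, ntpath.splitext(name)[0][::-1] + ".*")

def find_companions(dll_path, listing):
    """Files in the listing that match the reversed-name pattern (not the DLL itself)."""
    pattern = reversed_companion_pattern(dll_path).lower()
    return [f for f in listing
            if f.lower() != dll_path.lower() and fnmatch.fnmatchcase(f.lower(), pattern)]

if __name__ == "__main__":
    for dll in dual_registered_dlls(SAMPLE_LOG):
        print(dll, "->", reversed_companion_pattern(dll), find_companions(dll, SAMPLE_LISTING))
```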

guitarguy99

Posted 19 November 2005 - 09:37 PM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

guitarguy99

Posted 20 November 2005 - 02:20 PM


Hi CRETEMONSTER:

Thanks for your advice-here's what I did.

1. I ran Hijackthis as advised and it seemed to work fine-I did get one error message when it first started. Here's the message:

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
***************

2. I installed Spyblaster and updated and selected "ENABLE ALL PROTECTION".

QUESTION: Will this Spyware program conflict with my other Spyware programs like Microsoft AntiSpyware Beta?

3. I installed the HOSTS file. I did have an existing HOSTS file which seemed like the Windows default-it only had this in it: "127.0.0.1 localhost". As per instructions on HOSTS site, I renamed my original to hosts.old and copied the new HOSTS file in.

4. I disabled SystemRestore and reset MSCONFIG to "Normal startup".

QUESTION: Should I reset System Restore back to ON??

RESULTS: Everything seems to be working fine-no popups now.....I'm crossing my fingers but I'm excited. If it works like this for another day I'll certainly donate to your site.

ONE LAST QUESTION: Recently also when I click on links for new web sites in Explorer the window doesn't open up maximized (it always maximized before)-it opens up sort of tiled so it takes up about 1/3 of the screen so I always have to click the maximize button to get it to full screen. Would you happen to know the setting to change this to always open maximized windows??

guitarguy99

Posted 20 November 2005 - 04:46 PM


HI Cretemonster;

I reran the Panda Activescan just to see and it found 2 spyware again--is there still a problem??

Here's the report:

You'll note it reports something in my HEALTH file again (I did delete as you instructed but I later replaced it with a backup from a couple months ago so thought that would be fine?)

guitarguy99

Posted 20 November 2005 - 05:49 PM

I went to SAFE mode and deleted the HEALTH file. Then did WinPFind scan-here's the log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 20/11/2005 3:06:58 PM
***********************************************

Then I did the HiJackThis instructions to create a copy of HOSTS-here it is:

# This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #
# #
# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# ********************************************************#
# ------------------Updated: 11-15-05---------------------#
# ********************************************************#
# Entries marked with Parasite or Trojan comments should #
# be placed in the Internet Explorer Restricted Zone. #
# http://mvps.org/winh.../restricted.htm #
# #
# Entries with other comments are searchable via Google. #
# #
# Disclaimer: this file is free to use, however it is NOT #
# permitted to post on any other site without permission. #
# #
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# http://creativecommo...s/by-nc-sa/2.0/ #

guitarguy99

Posted 20 November 2005 - 05:52 PM


Hi-looks like my last post was cut off so here's a repost of HOSTS file from HiJackThis:

# This MVPS HOSTS file is a free download from: #
# http://www.mvps.org/winhelp2002/ #
# #
# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# ********************************************************#
# ------------------Updated: 11-15-05---------------------#
# ********************************************************#
# Entries marked with Parasite or Trojan comments should #
# be placed in the Internet Explorer Restricted Zone. #
# http://mvps.org/winh.../restricted.htm #
# #
# Entries with other comments are searchable via Google. #
# #
# Disclaimer: this file is free to use, however it is NOT #
# permitted to post on any other site without permission. #
# #
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# http://creativecommo...s/by-nc-sa/2.0/ #